The notes below cover the security features provided by MongoDB:
We can enable authorization for a mongo instance by passing the --auth parameter when starting the mongod daemon:
$ mongod --dbpath ~/db_loc --logpath ~/sec.log --fork --auth --port 27227
Or we can set authorization: "enabled" under the security section of the config file.
Once started with the --auth parameter we will not be able to read or write any database/collection unless we have the required privileges:
> db.foo.insert({x:1})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on test to execute command { insert: \"foo\", ordered: true, $db: \"test\" }"
}
})
So before starting the database in --auth mode, we need to create a super user who will be the db admin for the mongo instance and will do the role management, administrative actions, etc.
To enable the security features in mongo, follow the steps below:
1. Start the mongo database without any auth parameter.
2. Log in to the mongo shell and create a super user account:
$ mongo
> use admin
> db.createUser({
user:"sr",
pwd:"sr123",
roles:[{
role:"root",db:"admin"
}]})
> exit
3. Shut down the server (shutdownServer must be run against the admin database) and restart it with the --auth parameter, keeping the same --dbpath/--logpath options as before:
> use admin
> db.shutdownServer()
$ mongod --auth
4. Log in using the new super user:
$ mongo -u sr -p sr123 --authenticationDatabase admin
By using this login session we can run admin commands such as:
listDatabases
dbStats
listIndexes
listCollections
viewUsers
We can create a normal user with read/write privileges on a particular database as follows (a bare role name such as "readWrite" applies to the database currently in use, here accounts):
1. $ mongo -u sr -p sr123 --authenticationDatabase admin
2. > use accounts
3. > db.createUser({
user: "gal",
pwd: "galer",
roles: ["readWrite"]
})
4. Now we can log in to a new mongo shell with the new user and password and do read/write operations on the accounts database:
$ mongo -u gal -p galer --authenticationDatabase accounts
* We can switch to another user while in the mongo shell by using:
> db.auth('sr','sr123')
* To log out from the session we can use:
> db.logout()
* To change the password of a user we can use:
> db.changeUserPassword("user","pass")
We can also define users as shell variables first and then pass them to createUser. The two definitions of me below are alternatives (use one or the other; the second would otherwise overwrite the first):
var me = { user: "raj" , pwd : "raj123" , roles :[ "userAdminAnyDatabase"]}
var me = { user: "raj" , pwd : "raj123" , roles :[ "dbAdminAnyDatabase"]}
var w = { user: "nair" , pwd : "raj123" , roles :[ "readWriteAnyDatabase"]}
> use test
var a = { user: "maya" , pwd : "raj123" , roles :[ "readWrite"]}  // readWrite on the test database only; create this user while logged in as the user defined in me
db.createUser(
{
user: "reportsUser",
pwd: "12345678",
roles: [
{ role: "read", db: "reporting" },
{ role: "read", db: "products" },
{ role: "read", db: "sales" },
{ role: "readWrite", db: "accounts" }
]
}
)
> db.createUser(me)
Successfully added user: { "user" : "raj", "roles" : [ "userAdminAnyDatabase" ] }
$ mongo localhost:27227/admin -u raj -p
Roles: the built-in roles used in the examples above are root, read, readWrite, readWriteAnyDatabase, userAdminAnyDatabase and dbAdminAnyDatabase; the "AnyDatabase" roles and root apply to every database, the others only to the database they are granted on.
--keyFile <fname> - tells the members of a MongoDB cluster to authenticate to each other using a shared secret key.
To authenticate as a user from within the shell:
> db.auth("raj","raj123")
Users:
• Admin User: can do administration, is created in the admin database, and can access all databases.
• Regular User: can access a specific database, either read/write or read only.
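As an added example (not part of the original notes), the following Python resolves the built-in roles used above to the effective access each user has on a given database and flags users whose roles reach across all databases. The user documents are constructed to mirror the users created in these notes, in the shape db.getUsers() returns them; the role table and the treatment of custom roles as "unknown" are assumptions of this example.

```python
# Added example (not part of the original notes): resolve MongoDB built-in
# roles to effective per-database access and flag users whose roles are not
# scoped to a single database.

# Built-in roles the notes use -> (access level, applies to every database?).
# Assumption: custom roles are not resolved and are reported as "unknown".
BUILTIN_ROLES = {
    "read": ("read", False), "readWrite": ("readWrite", False),
    "readAnyDatabase": ("read", True), "readWriteAnyDatabase": ("readWrite", True),
    "userAdminAnyDatabase": ("userAdmin", True),
    "dbAdminAnyDatabase": ("dbAdmin", True), "root": ("root", True),
}
# Roles that reach beyond one database. userAdminAnyDatabase grants no data
# access by itself, but its holder can grant themselves root, so it is treated
# as a superuser role here.
SUPERUSER_ROLES = {r for r, (_, all_dbs) in BUILTIN_ROLES.items() if all_dbs}

def expand_roles(roles: list, current_db: str) -> list:
    """createUser accepts the shorthand roles:["readWrite"], meaning the role
    on the database the shell is currently using; expand it to {role, db}."""
    return [r if isinstance(r, dict) else {"role": r, "db": current_db} for r in roles]

# Constructed sample shaped like db.getUsers() output for the notes' users.
USERS = [
    {"user": "sr", "db": "admin", "roles": expand_roles([{"role": "root", "db": "admin"}], "admin")},
    {"user": "gal", "db": "accounts", "roles": expand_roles(["readWrite"], "accounts")},
    {"user": "raj", "db": "admin", "roles": expand_roles(["userAdminAnyDatabase"], "admin")},
    {"user": "reportsUser", "db": "admin", "roles": expand_roles([
        {"role": "read", "db": "reporting"}, {"role": "read", "db": "products"},
        {"role": "read", "db": "sales"}, {"role": "readWrite", "db": "accounts"}], "admin")},
]

def effective_access(user: dict, dbname: str) -> set:
    """Access levels the user's roles grant on dbname."""
    levels = set()
    for r in user["roles"]:
        level, all_dbs = BUILTIN_ROLES.get(r["role"], ("unknown", False))
        if all_dbs or r["db"] == dbname:
            levels.add(level)
    return levels

def can_write(user: dict, dbname: str) -> bool:
    """True if the user can insert/update documents in dbname."""
    return bool(effective_access(user, dbname) & {"readWrite", "root"})

def audit(users: list) -> dict:
    """Map each user holding a cluster-wide role to the roles that make it so."""
    return {u["user"]: [r["role"] for r in u["roles"] if r["role"] in SUPERUSER_ROLES]
            for u in users if any(r["role"] in SUPERUSER_ROLES for r in u["roles"])}
```

Running audit(USERS) reports sr (root) and raj (userAdminAnyDatabase), while gal and reportsUser stay scoped to the databases they were granted.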
SSL and Key Files
Key file: ensures that the members of a cluster are legitimate.
Auth: authentication and authorization for clients.
scons --ssl: build option that enables SSL, for encrypted traffic between clients and shard servers and between shard servers.
Intra-Cluster Security
$ mongod --dbpath /home/azureuser/data2 --port 27002 --auth --replSet z --keyFile /home/azureuser/data/keyfile --logpath /home/azureuser/data2/data.log --fork
Authentication
The default authentication mechanism is SCRAM (Salted Challenge Response Authentication Mechanism), i.e. password-based security.
The Community version also has x.509, which uses certificates for authentication.
The Enterprise version includes two additional authentication mechanisms: LDAP and Kerberos.
MongoDB also supports a cluster authentication mechanism for communication between the members of a cluster.
Authorization
MongoDB uses role-based access control to isolate the responsibilities for operational tasks.